PDF files were responsible for 8% of threats in Q2 2025, a 2 percentage point fall compared to Q1 2025.

PDFs remain the preferred vehicle for delivering malicious attachments in phishing, at 64%.

NortonLifeLock, PayPal, and Geek Squad were among the most impersonated brands in TOAD emails with PDF attachments

Microsoft and Docusign were among the most frequently impersonated brands in phishing emails with PDF attachments.

In attachment-based campaigns, people were most likely to open certain file types: PDFs (53%), HTML files (28.5%), Word files (18.5%).

Bitcoin sextortion scams account for 12% of malicious PDF attachments.

PDF attachments are used in 36% of phishing attacks as favoured attachments

68% of malicious PDF attachments contain QR codes designed to take users to phishing websites.

In attachment-based campaigns, people were most likely to open certain file types: PDFs (53%), HTML files (28.5%), Word files (18.5%).

Of all PDFs used in malicious spam, 42% used obfuscated URLs, 28% hid their URLs in PDF streams, and 7% were delivered in an encrypted form along with a password.

Malicious PDF documents were the third most popular threat file type isolated by HP Sure Click in Q4 2024

Threats delivered in PDF documents accounted for 10% in Q4 2024

10% of threats were PDF files in Q4 2024

PDF files were responsible for 9% of threats detected in Q3 2024, showing a 2% point rise compared to Q2 2024.